Cybersecurity

Following the success of some initial, smaller-scale efforts, the U.S. Air Force is pursuing zero trust architecture on a level not seen before. The service’s Air Combat Command is leading the charge into many more initiatives with a comprehensive view to employ zero trust architecture across its bases, weapon systems and missions.

A delayed focus on IT modernization could create a gap between frequent high-impact cyber breaches and the U.S. Department of the Navy’s preparedness to address them. From the SolarWinds hack to ransomware, new cyber threats emerge almost weekly. Advances in technology to help defend against such threats occur so quickly that current acquisition and infrastructure programs cannot keep pace.

Cybersecurity program managers are facing the dilemma of appropriately balancing compliance with threat tracking and mitigation. Today, amidst the ever-growing problem of data breaches, organizations are investing in protection. But simply complying with security and privacy standards seldom means systems and data are automatically secure.

Cyber education and training should begin not in college, not in secondary school, not in middle school, not in elementary school, but at home as soon as children are able to view or use social media, say some experts. This training is important not just to lay the groundwork for future cybersecurity professionals in a field starved for expertise, but also to instill good cyber hygiene habits that can be passed on to other family members.

The massive cyber attack on the United States via information technology vendor SolarWinds continues to send shockwaves through the departments of Defense, State and Homeland Security as well as other agencies. Damage assessments are ongoing. If the U.S. government in general and Defense Department in particular are to successfully defend against attacks by well-funded, patient and highly motivated enemies, they will need to change their approach to defending their networks and systems.

The U.S. Department of Defense is looking at additive manufacturing technologies to rapidly prototype and build equipment components and increasingly, to potentially make replacement parts in the field.

While additive manufacturing, the ability to build plastic and metal parts by depositing a fine spray of material, has been used by the aerospace and defense sectors for some time, the capability is now becoming more portable. One such project is the U.S. Marine Corps’ X-Fab effort, which uses a shipping container loaded with compact additive manufacturing equipment that can be shipped anywhere in the world to make replacement parts.

Software-defined networks, commercial satellite communications, cognitive electronic warfare, intelligent radios and artificial intelligence applications all potentially offer the military advanced capabilities for the tactical environment, say Johns Hopkins University Applied Physics Laboratory’s (APL’s) Julia Andrusenko, chief engineer, Tactical Wireless Systems Group, and Mark Simkins, program manager, Resilient Tactical Communications Networks. 

NATO is at risk of losing its technology edge because of emerging and disruptive technologies increasingly developed within the civil sector. The growth of peer competitors’ determination, especially China, and the decline of technology education in Western countries are eroding the advantage they once skillfully held.

To address this state of affairs, the organization’s defense ministers are examining a number of activities. As a part of this initiative, the NATO Industrial Advisory Group (NIAG) conducted a study to provide the industry view of the implications of emerging and disruptive technologies (EDTs) and Chinese advances in defense operations and military capability development.

The Boeing Co., St. Louis, Missouri, was awarded a $10,579,798 modification (P00004) to contract W58RGZ19F0045 to integrate, test, upgrade and field functional hardware and software technology improvements and cybersecurity controls, to the Longbow Crew Trainer Generation Four and Generation Five fleets. Work will be performed in St. Louis, Missouri, with an estimated completion date of April 2, 2022. Fiscal year 2019 aircraft procurement (Army) funds in the amount of $10,579,798 were obligated at the time of the award. U.S. Army Contracting Command, Redstone Arsenal, Alabama, is the contracting activity.

Cyber Systems and Services Solutions, Bellevue, Nebraska, has been awarded a $17,765,741 firm-fixed-price and cost-plus-fixed-fee modification (P0010) to contract FA8773-18-D-0002 to exercise Option Three for defensive cyber realization, integration and operational support services. Work will be performed at Joint Base San Antonio (JBSA)-Lackland, Texas, and is expected to be completed February 28, 2022.  This modification is the result of a competitive acquisition and seven offers were received. Fiscal 2021 operation and maintenance funds in the amount of $8,764,731 are being obligated at the time of award. The 38th Contracting Squadron, JBSA-Lackland, Texas, is the contracting activity.

Booz Allen Hamilton Inc., McLean, Virginia, has been awarded a $21,744,548 cost-plus-fixed-fee modification (P00032) to contract FA8750-17-F-0105 for enterprise exploitation and information assurance. This contract modification provides for additional hours to facilitate development of electro-optical emerging data sources as part of the Assured Cyber Enterprise for the Intelligence Community Program.  Work will be performed in McLean, Virginia, and is expected to be completed September 28, 2021. Fiscal 2020 research, development, test and evaluation funds in the amount of $74,381 are being obligated at the time of award.

The cybersecurity of civil government, critical infrastructure and business infrastructure remains uneven. Worrying reports of ransomware affecting city and county governments as well as local health care organizations have put leaders and administrators, and infrastructure operators on edge.

The Defense Digital Service (DDS) and HackerOne announced the launch of the DDS’s latest bug bounty program with HackerOne. It is the eleventh such program for DDS and HackerOne and the third with the U.S. Department of the Army.

Hack the Army 3.0 is a security test— time-bound and hacker-powered—aimed at revealing vulnerabilities so they can be resolved before they are exploited by adversaries. The bug bounty program will run from January 6, 2021, through February 17, 2021, and is open to both military and civilian participants.

Emerging technology, state actors such as Russia and China, and nonstate actors including ISIS, are often quoted as some of the greatest threats to computer and network security. But before the United States can engage with these threats effectively, the war against words must take place.

One place to start is by eliminating the word “cyber” as a descriptor. The term has been used and overused, manipulated and exploited so many times and in so many places, it has become meaningless. What individuals or organizations mean or want when they use it is impossible to say. It’s time to scrap the word altogether and instead specify technical concepts at a more granular level.

Innovative ideas may hold the key to thwarting cyber adversaries emboldened by opportunities offered in the COVID-19 pandemic. And, the source of these innovative approaches may be diverse personnel who break the mold of conventional cybersecurity professionals.

Adversaries are stepping up their efforts to exfiltrate information and weaken the U.S. supply chain through cyberspace. These efforts aim to both wreck the country from within and strengthen the hand of the adversary wielding the digital sword, according to a U.S. government official.

New government security measures are designed with these challenges in mind, and they can help secure targeted small businesses. The Cybersecurity Maturity Model Certification (CMMC), which is rolling out, is designed to help mitigate the effects of adversarial activities in cyberspace.

Anyone moving through the ecosystem of software development and cyber over the last few decades has heard cool words to describe it: Waterfall, Cobalt, Agile, DevOps and now DevSecOps.

DevSecOps may be the latest term but the idea behind it remains constant: Security should be a priority from the start.

While the world was facing the rapid and deadly spread of the severe acute respiratory syndrome coronavirus 2, most commonly known as COVID-19, malicious cyber attackers were also at work, increasing the number of attacks, switching methods, taking advantage of the boom in Internet, network and email users, and playing on fears during the uncertain time, cybersecurity experts say. Companies struggling to maintain operations are still leaving gaps in digital security, they warn.

Users need to transition all networked computing from the commercial central processing unit addiction to pure dataflow for architecturally safe voting machines, online banking, websites, electric power grids, tactical radios and nuclear bombs. Systems engineering pure dataflow into communications and electronic systems can protect them. The solutions to this challenge are in the users’ hands but are slipping through their fingers. Instead, they should grab the opportunity to zeroize network attack surfaces.

Cybersecurity is now a significant area of focus and concern for senior leaders who have witnessed cyber events that have resulted in significant financial and reputational damage. However, for many organizations, data defense continues to be a technology-focused effort managed by the technical “wizards.” Board of director discussions often zero in on describing the latest cyber threats rather than taking a long-range approach.

But cybersecurity is more than a technical challenge. Enterprise risk management (ERM) is an effective tool to assess risks, including those with cyber origins, but few businesses or agencies use the technique for this purpose, cyber experts assert.

​​On both sides of the Atlantic, NATO and European leaders are struggling to address the threat posed to vital space systems by foreign hackers, cyber warfare and online espionage. Huge swathes of the global economy are utterly dependent on orbital capabilities like GPS that look increasingly fragile as space becomes more crowded and contested.

Enterprise modernization of the Navy's networks and systems is finally underway. Set to impact hundreds of thousands of uniformed and civilian users, it will consolidate many outsourced network service delivery mechanisms across the entire Department of the Navy (DON). The initiative aims to transform how services are delivered, provide a dramatically improved end user experience, and enable critical innovations long needed to accelerate the DON’s mission.

The U.S. Defense Department by the end of the calendar year will release an initial zero trust architecture to improve cybersecurity across the department, says Vice Adm. Nancy Norton, USN, director, Defense Information Systems Agency, and commander, Joint Force Headquarters-Department of Defense Information Network.

Norton’s agency, commonly known as DISA, is working with the National Security Agency, the Department of Defense (DOD) chief information officer and others on what she calls an initial “reference” architecture for zero trust, which essentially ensures every person wanting to use the DOD Information Network, or DODIN, is identified and every device trying to connect is authenticated.

The U.S. Air Force is experimenting with a zero trust strategy to provide additional digital protections. Zero trust architecture offers a higher level of cybersecurity, through limited per-session access, continuous monitoring, endpoint security and monitoring of network conversations, explained Col. James Lotspeich, USAF, chief technology officer, Air Combat Command (ACC), Directorate of Cyberspace and Information Dominance (A6).

Col. Lotspeich spoke about the ACC’s zero trust architecture efforts during AFCEA Tidewater’s July 2 virtual luncheon.